CN112134777B - Trusted IPSec module and VPN tunnel construction method - Google Patents

Trusted IPSec module and VPN tunnel construction method

Info

Publication number
CN112134777B
Authority
CN
China
Prior art keywords
ipsec
module
tee
vpn tunnel
protocol encapsulation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010942922.XA
Other languages
Chinese (zh)
Other versions
CN112134777A (en)
Inventor
孟丹
孟慧石
贾晓启
侯锐
黄庆佳
武希耀
周梦婷
杜海超
白璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN202010942922.XA
Publication of CN112134777A
Application granted
Publication of CN112134777B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of this application provide a trusted IPSec module and a VPN tunnel construction method. In this scheme, the IPSec module in the terminal device is arranged as an REE function group running in the REE environment and a TEE function group running in the TEE environment. The REE function group comprises an IPSec protocol encapsulation and parsing module and a TCP/IP protocol stack; the TEE function group comprises an IPSec core module; and a storage module is connected to both the IPSec protocol encapsulation and parsing module and the IPSec core module. When a VPN tunnel is constructed, the key data and the processing steps that handle it are placed in the TEE environment, using the hardware isolation, system isolation and similar protections that the TEE provides, while the generic IPSec protocol encapsulation and parsing and the data handling of the TCP/IP protocol stack are placed in the REE environment. This reduces the load on the TEE system on the one hand and protects the security and stability of the key data on the other, so that communication security is ensured and communication efficiency is improved.

Description

Trusted IPSec module and VPN tunnel construction method
Technical Field
This application relates to network security technology, and in particular to a trusted IPSec module and a VPN tunnel construction method.
Background
Internet Protocol Security (IPSec) is a protocol suite that protects the IP protocol, and the network transport protocols built on it, by encrypting and authenticating IP packets.
In the prior art, a mobile terminal builds a data tunnel using VPN technologies such as IPSec so that information can be transmitted inside a secure and reliable tunnel. However, because the mobile terminal side may run IPSec in an insecure application environment and may contain system vulnerabilities, an attacker can exploit those terminal-side vulnerabilities to attack the VPN tunnel and steal sensitive information. Building a trusted IPSec component architecture on the terminal side, so that a secure and stable IPSec tunnel can be established, is therefore of great significance for the security of information transmission and of applications.
The technical problem in the prior art is thus that attackers can use insecure application environments and system bugs in the terminal device to attack a VPN tunnel and steal important information and sensitive resources.
Disclosure of Invention
The embodiments of this application provide a trusted IPSec module and a VPN tunnel construction method.
According to a first aspect of the embodiments of this application, a trusted IPSec module applied to a terminal device is provided, comprising:
an REE function group running in the REE environment and comprising an IPSec protocol encapsulation and parsing module and a TCP/IP protocol stack;
a TEE function group running in the TEE environment and comprising an IPSec core module;
and a storage module connected to both the IPSec protocol encapsulation and parsing module and the IPSec core module.
Optionally, when a TEE client and a TA (trusted application) are installed on the terminal device, the TEE client runs in the REE environment;
the TA application runs in the TEE environment;
and the TEE client is interconnected with the TA application.
Optionally, the IPSec core module comprises:
an authentication information base, an IKE negotiation module, an SA database, an encryption and decryption engine and an IPSec processing module;
and the IPSec core module does not comprise an IPSec protocol encapsulation and parsing module or a TCP/IP protocol stack.
According to a second aspect of the embodiments of this application, a VPN tunnel construction method applied to the IPSec module of the first aspect is provided, comprising:
the TEE client sends a start instruction so that the IPSec protocol encapsulation and parsing module encapsulates an IPSec/IP protocol packet to obtain an IP protocol encapsulation packet, which is stored in the storage module;
the TEE client sends a tunnel construction instruction carrying the VPN tunnel construction requirement information so that the TA application initialises the context for establishing the VPN tunnel based on the tunnel construction instruction;
the TEE client sends a first notification instruction so that the TA application notifies the IPSec core module to read the IP protocol encapsulation packet and load the data needed to construct the VPN tunnel into it, obtaining a VPN tunnel transmission data packet;
and the VPN tunnel transmission data packet is sent through a trusted peripheral running in the TEE environment, so that the terminal device establishes the VPN tunnel within the TEE environment.
Optionally, the TA application notifying the IPSec core module to read the IP protocol encapsulation packet and load the data for constructing the VPN tunnel into it to obtain the VPN tunnel transmission data packet comprises:
the TA application sends a second notification instruction so that the IPSec processing module in the IPSec core module reads tunnel authentication information from the IPSec authentication information base in the IPSec core module, and/or reads negotiation data from the IKE negotiation module in the IPSec core module;
and the IPSec processing module loads the tunnel authentication information and the negotiation data into the IP protocol encapsulation packet to obtain the VPN tunnel transmission data packet.
Optionally, the terminal device establishing the VPN tunnel in the TEE environment comprises:
after receiving a tunnel response data packet fed back by the tunnel peer, the IPSec processing module stores the response data packet in the storage module and sends a third notification instruction to the TA application;
the TEE client, in response to the TA application, controls the IPSec protocol encapsulation and parsing module to fetch and parse the response data packet, obtaining a parsed data packet that is stored in the storage module;
the TEE client sends a fourth notification instruction to the TA application so that the TA application notifies the IPSec processing module to read the parsed data packet;
and the IPSec processing module updates the corresponding data in the SA database based on the parsed data packet to complete the VPN tunnel negotiation.
Optionally, the IPSec processing module updating the corresponding data in the SA database based on the parsed data packet to complete the VPN tunnel negotiation comprises:
after updating the corresponding data in the SA database, the IPSec processing module judges whether the negotiation with the tunnel peer is complete;
and if not, returning to the step in which the IPSec protocol encapsulation and parsing module encapsulates the IPSec/IP protocol packet based on the tunnel construction instruction to obtain an IP protocol encapsulation packet.
Optionally, the TEE client sending the tunnel construction instruction carrying the VPN tunnel construction requirement information comprises:
the TEE client initialising the value of a counter to a preset value;
and the step of returning, if the negotiation is not complete, to the step in which the IPSec protocol encapsulation and parsing module encapsulates the IPSec/IP protocol packet based on the tunnel construction instruction to obtain an IP protocol encapsulation packet comprises:
the TEE client controlling the counter to adjust the preset value, where the adjusted preset value is the original preset value plus one unit value.
According to a third aspect of the embodiments of this application, a terminal device is provided, comprising a storage device, a processing device, and a computer program stored on the storage device and executable on the processing device, where the processing device implements the steps of the tunnel construction method of the second aspect when executing the computer program.
According to a fourth aspect of the embodiments of this application, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements the steps of the tunnel construction method of the second aspect.
The embodiments of this application provide a trusted IPSec module and a VPN tunnel construction method in which the IPSec module in a terminal device is arranged as an REE function group running in the REE environment and a TEE function group running in the TEE environment. The REE function group comprises an IPSec protocol encapsulation and parsing module and a TCP/IP protocol stack, the TEE function group comprises an IPSec core module, and a storage module is connected to both the IPSec protocol encapsulation and parsing module and the IPSec core module. While the VPN tunnel is being constructed, the key data and the processing steps of IPSec tunnel establishment can be handled in the TEE environment under its hardware isolation, system isolation and similar protections, while the generic IPSec protocol encapsulation and parsing and the data handling of the TCP/IP protocol stack can be handled in the REE environment. This reduces the load on the TEE system on the one hand and ensures the security and stability of the key data on the other, so that communication security is ensured and communication efficiency is improved.
The embodiments of this application have at least the following technical effects or advantages:
during the negotiation for tunnel establishment, the IPSec protocol encapsulation and parsing and the data retrieval of the TCP/IP protocol stack in the REE environment cooperate with the core processing in the TEE environment, such as updating the SA database and encrypting and decrypting IPSec key data, so that the VPN tunnel establishment negotiation is completed through a secure and reliable process. This further ensures the security and stability of the VPN tunnel.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a structural diagram of a trusted IPSec module according to an embodiment of the present application;
fig. 2 is a flowchart of a VPN tunnel construction method according to an embodiment of the present application.
Detailed Description
While implementing this application, the inventors found that in the prior art attackers can use insecure application environments and system bugs in the terminal device to attack a VPN tunnel and steal important information and sensitive resources.
In view of this problem, an embodiment of this application provides a trusted IPSec module and a VPN tunnel construction method in which the IPSec module in a terminal device is arranged as an REE function group running in the REE environment and a TEE function group running in the TEE environment. The REE function group comprises an IPSec protocol encapsulation and parsing module and a TCP/IP protocol stack, the TEE function group comprises an IPSec core module, and a storage module is connected to both the IPSec protocol encapsulation and parsing module and the IPSec core module. While the VPN tunnel is being constructed, the key data and the processing steps of IPSec tunnel establishment can be handled in the TEE environment under its hardware isolation, system isolation and similar protections, while the generic IPSec protocol encapsulation and parsing and the data handling of the TCP/IP protocol stack can be handled in the REE environment. This reduces the load on the TEE system on the one hand and ensures the security and stability of the key data on the other, so that communication security is ensured and communication efficiency is improved.
The embodiments of this application have at least the following technical effects or advantages:
during the negotiation for tunnel establishment, the IPSec protocol encapsulation and parsing and the data retrieval of the TCP/IP protocol stack in the REE environment cooperate with the core processing in the TEE environment, such as updating the SA database and encrypting and decrypting IPSec key data, so that the VPN tunnel establishment negotiation is completed through a secure and reliable process. This further ensures the security and stability of the VPN tunnel.
The scheme in the embodiments of this application can be implemented in various computer languages, such as the object-oriented programming language Java and the interpreted scripting language JavaScript.
To make the technical solutions and advantages of the embodiments clearer, the exemplary embodiments are described in further detail below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of this application, not all of them, and the embodiments and their features may be combined with one another where there is no conflict.
The term "and/or" herein merely describes an association between objects and means that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. The character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
Example one
Referring to fig. 1, an embodiment of this application provides a trusted IPSec module applied to a terminal device, comprising:
an REE function group 11 running in the REE environment and comprising an IPSec protocol encapsulation and parsing module 111 and a TCP/IP protocol stack 112;
a TEE function group 12 running in the TEE environment and comprising an IPSec core module 121;
and a storage module 13 connected to both the IPSec protocol encapsulation and parsing module and the IPSec core module.
The TEE environment is a trusted execution environment: it guarantees that its computations cannot be interfered with by the conventional operating system, which is why it is called "trusted". In general terms, the TEE is an independent execution environment running in parallel with the Rich OS and providing security services to the Rich OS environment. The TEE environment is implemented on ARM TrustZone and can access hardware and software security resources independently of the Rich OS and the applications running on it.
The REE environment is the environment common to all mobile devices, running a common operating system such as Android or iOS.
The IPSec protocol encapsulation and parsing module may be a software module or functional entity that cooperates with the TCP/IP protocol stack to encapsulate data into, and parse data out of, IP protocol data structures. Note that in the scheme of this embodiment, when the module encapsulates or parses data it need not perform IPSec encryption or decryption on that data.
The IPSec core module is the set of key components that implement authentication, encryption, decryption and transceiving of network data under the IPSec protocol; it may include, for example, an authentication information base, an IKE negotiation module, an SA database, an encryption/decryption engine and an IPSec processing module. These can be configured by a person of ordinary skill in the art as needed and are not described in detail here.
The storage module may be memory provided within a module component of the terminal device, a storage unit provided independently in the terminal device, or even a device with a storage function connected externally to the terminal device. Any module or device that has a storage function and can exchange data with both the IPSec protocol encapsulation and parsing module and the IPSec core module may serve as the storage module.
Further, if the storage module is separately provided memory, there may be one or more of them, and the memory may include read-only memory (ROM), random-access memory (RAM), disk storage and the like.
Of course, other function modules may be added to the REE function group and the TEE function group as needed. For example, the REE function group may further include a CA module, a module implementing human-computer interaction, and so on.
In the trusted IPSec module of this embodiment, because the IPSec core module runs in the TEE environment, the key data and processing steps of IPSec tunnel establishment are handled in the TEE environment under its hardware isolation, system isolation and similar protections, while the generic IPSec protocol encapsulation and parsing and the data handling of the TCP/IP protocol stack are handled in the REE environment. This reduces the load on the TEE system on the one hand and ensures the security and stability of the key data on the other, so that communication security is ensured and communication efficiency is improved.
Further, when the terminal device is provided with a TEE client and a TA application, the TEE client runs in the REE environment, the TA application runs in the TEE environment, and the TEE client is interconnected with the TA application.
Interconnected means that the TEE client and the TA application can exchange information through signalling instructions of a preset type; for example, the TEE client may communicate with the TA application through SMC instructions. The various notification instructions, the types of response signals generated and the transmission modes in this scheme can be chosen as needed, and a person skilled in the art can implement the interconnection and the corresponding notification and response functions using various signalling instructions or other techniques in the prior art.
Further, the IPSec core module 121 comprises:
an authentication information base 1211, an IKE negotiation module 1212, an SA database 1213, an encryption/decryption engine 1214 and an IPSec processing module 1215;
and the IPSec core module does not comprise an IPSec protocol encapsulation and parsing module or a TCP/IP protocol stack.
That the IPSec core module does not include the IPSec encapsulation and parsing module or the TCP/IP protocol stack means that none of the components in the IPSec core module cooperate with a TCP/IP protocol stack or encapsulate and parse data in IPSec/IP protocol form. This ensures that the generic encapsulation and parsing of IP protocol data is carried out entirely in the REE environment, which reduces the system complexity of the IPSec core module.
Further, the IPSec processing module may be a software program with a processing function, or an independently provided processor, control device or the like. When it is an independently configured processor, it may be a general-purpose central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits that control program execution.
Still further, the encryption and decryption engine refers to a module that can perform IPSec encryption or decryption on data.
Example two
Referring to fig. 2, a second embodiment of this application provides a VPN tunnel construction method applied to the IPSec module of the first embodiment, comprising:
step 201: the TEE client sends a start instruction so that the IPSec protocol encapsulation and parsing module encapsulates an IPSec/IP protocol packet to obtain an IP protocol encapsulation packet, which is stored in the storage module;
Note that to carry out the method of the second embodiment, a TEE client and a TA application need to be installed on the terminal device, with the TEE client running in the REE environment, the TA application running in the TEE environment, and the two interconnected.
In this step, the user may first issue an instruction to establish the VPN tunnel to the TEE client, directly or indirectly; for example, the instruction may be issued through human-computer interaction with the TEE client via a CA module, or the TEE client may learn that the user wants to establish the tunnel through a preset start condition (for example, running automatically when the TEE is powered on).
After learning of the user's VPN tunnel establishment instruction, the TEE client generates and sends a start instruction; on receiving it, the IPSec protocol encapsulation and parsing module begins encapsulating the IPSec/IP protocol packet to obtain an IP protocol encapsulation packet. Note that the IP protocol encapsulation packet is an idle protocol packet encapsulated in the IPSec/IP protocol format with no service data loaded.
step 202: the TEE client sends a tunnel construction instruction carrying the VPN tunnel construction requirement information so that the TA application initialises the context for establishing the VPN tunnel based on that instruction.
In this embodiment, steps 201 and 202 have no fixed order and may also be performed simultaneously.
The requirement information may be generated from a VPN tunnel establishment instruction entered by the user and fed back by the CA module, or it may be information preset by the system.
step 203: the TEE client sends a first notification instruction so that the TA application notifies the IPSec core module to read the IP protocol encapsulation packet and load the data for constructing the VPN tunnel into it, obtaining a VPN tunnel transmission data packet.
In this step, a module with a control function in the IPSec core module reads the IP protocol encapsulation packet from the storage module and loads the corresponding negotiation and authentication information into the empty packet to form the VPN tunnel transmission data packet.
step 204: the VPN tunnel transmission data packet is sent through a trusted peripheral running in the TEE environment, so that the terminal device establishes the VPN tunnel within the TEE environment.
The trusted peripheral may be a module or device that receives and transmits data signals and that also runs in the TEE environment. In this step the VPN tunnel transmission data packet is sent through the trusted peripheral to the peer device with which the IPSec tunnel is being established, which secures the data path during transmission and reception.
Further, the TA application notifying the IPSec core module to read the IP protocol encapsulation packet and load the data for constructing the VPN tunnel into it to obtain the VPN tunnel transmission data packet comprises:
the TA application sends a second notification instruction so that the IPSec processing module in the IPSec core module reads tunnel authentication information from the IPSec authentication information base in the IPSec core module, and/or reads negotiation data from the IKE negotiation module in the IPSec core module;
and the IPSec processing module loads the tunnel authentication information and the negotiation data into the IP protocol encapsulation packet to obtain the VPN tunnel transmission data packet.
Further, the terminal device establishing the VPN tunnel in the TEE environment comprises:
after receiving a tunnel response data packet fed back by the tunnel peer, the IPSec processing module stores the response data packet in the storage module and sends a third notification instruction to the TA application;
the TEE client, in response to the TA application, controls the IPSec protocol encapsulation and parsing module to fetch and parse the response data packet, obtaining a parsed data packet that is stored in the storage module;
the TEE client sends a fourth notification instruction to the TA application so that the TA application notifies the IPSec processing module to read the parsed data packet;
and the IPSec processing module updates the corresponding data in the SA database based on the parsed data packet to complete the VPN tunnel negotiation.
Still further, the IPSec processing module updating the corresponding data in the SA database based on the parsed data packet to complete the VPN tunnel negotiation comprises:
after updating the corresponding data in the SA database, the IPSec processing module judges whether the negotiation with the tunnel peer is complete;
and if not, returning to the step in which the IPSec protocol encapsulation and parsing module encapsulates the IPSec/IP protocol packet based on the tunnel construction instruction to obtain an IP protocol encapsulation packet.
Further, in order to record the number of negotiation cycles and provide corresponding system record information to the user, the step in which the TEE client sends out a tunnel construction instruction carrying VPN tunnel construction requirement information includes:
initializing a value of a counter to a preset value by the TEE client;
and the step of, if not, returning to the step in which the IPSec protocol encapsulation and analysis module encapsulates the IPSec/IP protocol based on the tunnel construction instruction to obtain an IP protocol encapsulation packet comprises:
controlling the counter through the TEE client to adjust the preset value, wherein the adjusted preset value is the original preset value plus a unit value.
Specifically, in the embodiment of the present application, the preset value may be 0 and the unit value may be 1. After the VPN tunnel is established, the user can obtain the total number of negotiation rounds between the local end and the peer during VPN tunnel establishment by querying the final value of the counter.
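As an added example that is not code from the patent, the following C model walks through the construction method above: REE-side encapsulation, TEE-side loading of authentication and IKE data, the round trip through the trusted peripheral, the SA database update, and the negotiation counter. All identifiers are assumptions of this model, the peer is constructed, and it adds a round bound that the patent does not specify.

```c
#include <stdbool.h>

/* Added example; names are assumptions of this model, not patent identifiers. */
typedef struct { int round; bool has_auth; bool has_ike; } pkt_t;  /* IP protocol encapsulation packet */
typedef struct { int round; bool peer_done; } resp_t;              /* tunnel response / analysis packet */
/* Storage module shared by both worlds: it carries packets only, never keys. */
typedef struct { pkt_t ip_pkt; resp_t resp; resp_t parsed; } storage_t;
/* TEE-side state: authentication base, IKE negotiation data and SA database
 * stay here and are never copied into storage_t. */
typedef struct { int psk_handle; int ike_proposal; int sa_entries; bool negotiated; } tee_state_t;

/* Added safeguard: the patent's "if not, return to the step" loop has no
 * upper bound; capping rounds keeps a silent or misbehaving peer from
 * occupying the TEE indefinitely. */
#define MAX_ROUNDS 8

/* REE: IPSec protocol encapsulation and analysis module (starting instruction). */
static void ree_encapsulate(storage_t *st, int round) {
    pkt_t p = { round, false, false };
    st->ip_pkt = p;
}

/* TEE: IPSec processing module reads the packet and loads tunnel authentication
 * and IKE negotiation data (second notification instruction). */
static pkt_t tee_load_tunnel_data(const storage_t *st, const tee_state_t *tee) {
    pkt_t tx = st->ip_pkt;
    tx.has_auth = tee->psk_handle != 0;
    tx.has_ike = tee->ike_proposal != 0;
    return tx;
}

/* Constructed peer behind the trusted peripheral: reports completion after
 * rounds_needed exchanges; a real peer is driven by the IKE state machine. */
static resp_t peer_exchange(pkt_t tx, int rounds_needed) {
    resp_t r = { tx.round, tx.has_auth && tx.has_ike && tx.round + 1 >= rounds_needed };
    return r;
}

/* REE: the TEE client has the analysis module parse the response (third notification). */
static void ree_parse_response(storage_t *st) { st->parsed = st->resp; }

/* TEE: update the SA database from the analysis packet (fourth notification),
 * then judge whether negotiation with the tunnel object is complete. */
static bool tee_update_sa(tee_state_t *tee, const storage_t *st) {
    tee->sa_entries += 1;
    tee->negotiated = st->parsed.peer_done;
    return tee->negotiated;
}

/* Runs the construction method. *counter starts at the preset value 0 and
 * gains one unit on every return to the encapsulation step, so it ends at
 * (rounds - 1). Returns true once VPN tunnel negotiation completes. */
bool build_vpn_tunnel(tee_state_t *tee, int peer_rounds_needed, int *counter) {
    storage_t st = {0};
    *counter = 0;                                   /* TEE client initialises the counter */
    for (int round = 0; round < MAX_ROUNDS; round++) {
        ree_encapsulate(&st, round);
        pkt_t tx = tee_load_tunnel_data(&st, tee);  /* VPN tunnel transmission data packet */
        st.resp = peer_exchange(tx, peer_rounds_needed);
        ree_parse_response(&st);
        if (tee_update_sa(tee, &st)) return true;
        *counter += 1;                              /* adjusted preset value = old value + unit */
    }
    return false;                                   /* round bound reached: fail closed */
}
```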
Various changes and specific examples in the trusted IPSec module in the embodiment in fig. 1 are also applicable to the VPN tunnel construction method in this embodiment, and those skilled in the art can clearly know the implementation method of the VPN tunnel construction method in this embodiment through the foregoing detailed description of the trusted IPSec module, so that details are not described here for brevity of the description.
An embodiment of the present application further provides a terminal device, which includes a storage device, a processing device, and a computer program that is stored in the storage device and is executable on the processing device, where the processing device implements the steps in the tunnel construction method according to the second embodiment when executing the computer program.
An embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the tunnel building method according to the second embodiment.
Therefore, according to the technical solution in the embodiment of the application, the IPSec module in the terminal device can be divided into an REE function group operating in the REE driving environment and a TEE function group operating in the TEE driving environment, wherein the REE function group comprises the IPSec protocol encapsulation and analysis module and a TCP/IP protocol stack, and the TEE function group comprises the IPSec core module; the storage module is connected to both the IPSec protocol encapsulation and analysis module and the IPSec core module. In the process of constructing the VPN tunnel, the key data and the processing steps of IPSec tunnel establishment can be placed in the TEE driving environment, using the hardware isolation, system isolation and other key functions of the TEE driving environment; meanwhile, the general IPSec protocol encapsulation and analysis processing and the data calls of the TCP/IP protocol stack can be placed in the REE driving environment, so that on the one hand the TEE system load is reduced and on the other hand the security and stability of the key data are ensured, achieving the technical effects of ensuring communication security and improving communication efficiency.
The embodiment of the application at least has the following technical effects or advantages:
Further, in the technical solution of the embodiment of the present application, during the negotiation process of tunnel establishment, the IPSec protocol encapsulation and analysis processing in the REE driving environment and the data retrieval of the TCP/IP protocol stack can cooperate with core processing steps such as SA database update and IPSec key data encryption and decryption in the TEE driving environment, so that the VPN tunnel establishment negotiation is completed in a secure and reliable process. This has the technical effect of further ensuring the security and stability of the VPN tunnel.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (7)

1. A VPN tunnel construction method is applied to an IPSec module, and is characterized in that the IPSec module comprises:
the REE functional group runs in an REE driving environment and comprises an IPSec protocol encapsulation and analysis module and a TCP/IP protocol stack;
the TEE functional group runs in a TEE driving environment and comprises an IPSec core module;
the storage module is respectively connected with the IPSec protocol encapsulation and analysis module and the IPSec core module;
the IPSec core module comprises an authentication information base, an IKE negotiation module, an SA database, an encryption and decryption engine and an IPSec processing module;
when a terminal device bearing the IPSec module is provided with a TEE client and a TA application which are interconnected, the TEE client operates in an REE driving environment, and the TA application operates in the TEE driving environment; the IPSec core module does not comprise an IPSec protocol encapsulation analysis module and a TCP/IP protocol stack;
the VPN tunnel construction method comprises the following steps:
the TEE client sends a starting instruction to enable the IPSec protocol encapsulation and analysis module to encapsulate an IPSec/IP protocol to obtain an IP protocol encapsulation packet, and the IP protocol encapsulation packet is stored in the storage module;
the TEE client sends a tunnel construction instruction carrying VPN tunnel construction requirement information so as to enable the TA application to initialize a context environment established by the VPN tunnel based on the tunnel construction instruction;
the TEE client sends out a first notification instruction so that the TA application notifies the IPSec core module to read the IP protocol encapsulation packet, and loads data information for constructing a VPN tunnel to the IP protocol encapsulation packet to obtain a VPN tunnel transmission data packet;
and sending the VPN tunnel transmission data packet through a trusted peripheral running in the TEE driving environment so that the terminal device establishes a VPN tunnel in the TEE driving environment.
2. The method of claim 1, wherein the TA application notifies the IPSec core module to read the IP protocol encapsulation packet, and loads data information for constructing a VPN tunnel to the IP protocol encapsulation packet to obtain a VPN tunnel transmission data packet, and the method comprises:
the TA application sends out a second notification instruction so that an IPSec processing module in the IPSec core module reads tunnel authentication information from an IPSec authentication information base in the IPSec core module; and/or reading negotiation data from an IKE negotiation module in the IPSec core module;
and the IPSec processing module loads the tunnel authentication information and the negotiation data to the IP protocol encapsulation packet to obtain the VPN tunnel transmission data packet.
3. The method of claim 2, wherein the terminal device establishes the VPN tunnel in the TEE driving environment, comprising:
after receiving a tunnel response data packet fed back by a tunnel object, the IPSec processing module stores the response data packet in the storage module, and sends a third notification instruction to the TA application;
the TEE client responds to the TA application, controls the IPSec protocol encapsulation analysis module to acquire and analyze the response data packet, acquires an analysis data packet and stores the analysis data packet in the storage module;
the TEE client sends a fourth notification instruction to the TA application so that the TA application notifies the IPSec processing module to control and read the analysis data packet;
and the IPSec processing module controls and updates corresponding data in the SA database based on the analysis data packet to finish VPN tunnel negotiation.
4. The method of claim 3, wherein the IPSec processing module controls updating of corresponding data in the SA database based on the parsed packet, and completes VPN tunnel negotiation, comprising:
after controlling and updating the corresponding data in the SA database, the IPSec processing module judges whether the negotiation with the tunnel object is completed;
if not, returning to the step in which the IPSec protocol encapsulation and analysis module encapsulates the IPSec/IP protocol based on the tunnel construction instruction to obtain an IP protocol encapsulation packet.
5. The method of claim 4, wherein the TEE client sends out a tunnel construction instruction carrying VPN tunnel construction requirement information, comprising:
initializing a value of a counter to a preset value by the TEE client;
and the step of, if not, returning to the step in which the IPSec protocol encapsulation and analysis module encapsulates the IPSec/IP protocol based on the tunnel construction instruction to obtain an IP protocol encapsulation packet comprises:
controlling the counter through the TEE client to adjust the preset value, wherein the adjusted preset value is the original preset value plus a unit value.
6. A terminal device comprising storage means, processing means and a computer program stored on said storage means and executable on said processing means, characterized in that said processing means when executing said computer program implement the steps in the tunnel construction method according to any of claims 1-5.
7. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the tunnel building method according to any one of claims 1 to 5.
CN202010942922.XA 2020-09-09 2020-09-09 Trusted IPSec module and VPN tunnel construction method Active CN112134777B (en)


Publications (2)

Publication Number Publication Date
CN112134777A CN112134777A (en) 2020-12-25
CN112134777B true CN112134777B (en) 2022-02-01

Family

ID=73845367

Country Status (1)

Country Link
CN (1) CN112134777B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107533609A (en) * 2015-05-29 2018-01-02 Intel Corporation System, apparatus and method for controlling multiple trusted execution environments in a system
CN108319857A (en) * 2017-12-29 2018-07-24 Beijing Watchdata Intelligent Technology Co., Ltd. Trusted application locking and unlocking method and system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104079570B (en) * 2014-06-27 2017-09-22 Donghu Software Industry Co., Ltd. Trusted network connection method based on IPsec
GB201423362D0 (en) * 2014-12-30 2015-02-11 Mastercard International Inc Trusted execution enviroment (TEE) based payment application
CN106102054A (en) * 2016-05-27 2016-11-09 Shenzhen Snowball Technology Co., Ltd. Method and communication system for security management of a secure element
CN106603487B (en) * 2016-11-04 2020-05-19 Chinasoft Information System Engineering Co., Ltd. Method for improving security of TLS protocol processing based on CPU space-time isolation mechanism
CN109510836A (en) * 2018-12-14 2019-03-22 Jinan Inspur High-Tech Investment and Development Co., Ltd. IPsec session-orient E-Service device and method based on TPM
US10687379B1 (en) * 2018-12-31 2020-06-16 Doron Shaul Shalev Communication apparatus
CN111431718B (en) * 2020-04-01 2022-12-27 National University of Defense Technology of the People's Liberation Army TEE expansion-based computer universal security encryption conversion layer method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TrustZone-based secure access scheme for cloud services on trusted mobile terminals; Yang Bo et al.; Journal of Software; 2016-01-22 (No. 06); 46-63 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant